[CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - ; as a query args separator #87133

Closed
@AdamGold

Description

BPO 42967
Nosy @malemburg, @gpshead, @orsenthil, @ned-deily, @mcepl, @merwok, @encukou, @ambv, @serhiy-storchaka, @pablogsal, @miss-islington, @ret2libc, @erlend-aasland, @Fidget-Spinner, @AdamGold
PRs
  • bpo-42967: Don't treat semicolon as a separator in urllib.parse #24271
  • bpo-42967: only use '&' as a query string separator #24297
  • [3.9] bpo-42967: only use '&' as a query string separator (GH-24297) #24528
  • [3.8] bpo-42967: only use '&' as a query string separator (GH-24297)  #24529
  • [3.7] bpo-42967: only use '&' as a query string separator (GH-24297)  #24531
  • [3.6] bpo-42967: only use '&' as a query string separator (GH-24297)  #24532
  • bpo-42967: Fix urllib.parse docs and make logic clearer #24536
  • bpo-42967: coerce bytes separator to string in urllib.parse_qs(l) #24818
  • [3.9] bpo-42967: coerce bytes separator to string in urllib.parse_qs(l) (GH-24818) #25344
  • [3.8] bpo-42967: coerce bytes separator to string in urllib.parse_qs(l) (GH-24818) #25345
Files
  • CVE-2021-23336-only-amp-as-query-sep.patch

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = 'https://github.com/orsenthil'
    closed_at = <Date 2021-02-15.19:34:55.754>
    created_at = <Date 2021-01-19.15:06:49.941>
    labels = ['type-security', '3.8', '3.9', '3.10', 'release-blocker', '3.7', 'library']
    title = '[CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator'
    updated_at = <Date 2021-11-08.16:47:04.726>
    user = 'https://github.com/AdamGold'

    bugs.python.org fields:

    activity = <Date 2021-11-08.16:47:04.726>
    actor = 'vstinner'
    assignee = 'orsenthil'
    closed = True
    closed_date = <Date 2021-02-15.19:34:55.754>
    closer = 'orsenthil'
    components = ['Library (Lib)']
    creation = <Date 2021-01-19.15:06:49.941>
    creator = 'AdamGold'
    dependencies = []
    files = ['49839']
    hgrepos = []
    issue_num = 42967
    keywords = ['patch']
    message_count = 57.0
    messages = ['385266', '385332', '385337', '385341', '385342', '385344', '385346', '385352', '385495', '385496', '385497', '385513', '385527', '385544', '385549', '385565', '385566', '385567', '385582', '385585', '385590', '385865', '386003', '386785', '386787', '386788', '386954', '386957', '386960', '386968', '386980', '387027', '387037', '387039', '387040', '387045', '387049', '387069', '387638', '387712', '387735', '387756', '388368', '388433', '388434', '388440', '388447', '388486', '388574', '390782', '390784', '390790', '391231', '405721', '405723', '405725', '405728']
    nosy_count = 15.0
    nosy_names = ['lemburg', 'gregory.p.smith', 'orsenthil', 'ned.deily', 'mcepl', 'eric.araujo', 'petr.viktorin', 'lukasz.langa', 'serhiy.storchaka', 'pablogsal', 'miss-islington', 'rschiron', 'erlendaasland', 'kj', 'AdamGold']
    pr_nums = ['24271', '24297', '24528', '24529', '24531', '24532', '24536', '24818', '25344', '25345']
    priority = 'release blocker'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue42967'
    versions = ['Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10']
